OK, but what about disabling session cookies altogether?

Bye,
Christian
-- 
Christian Mallwitz INTERSHOP Communications Germany
Senior Software Engineer    phone: +49 3641 894 334


> -----Original Message-----
> From: Ralph Einfeldt [mailto:[EMAIL PROTECTED]]
> Sent: Friday, November 17, 2000 15:03
> To: '[EMAIL PROTECTED]'
> Subject: AW: JSP and automatic session id URL rewriting
> 
> 
> Even if it is possible, I wouldn't do it.
> 
> You would have to parse your output after it is generated
> and before you really send it to the requesting client.
> The parsing has to be quite flexible to recognise links
> to external sites, as it is not a good practice to include
> the session id in links to external sites. (That would
> open the door to stealing the session.)
> There are several ways to code URLs in a way that it
> is hard to say which site will be the target. Just two
> examples:
> 1:
> <base href="some.server.domain"><a href="/some/image.gif"></a>
> 2:
> <script>
>   // Link target is assembled at run time, so it is not visible in the markup
>   someServer = 'someServer';
>   function someFunction() {
>     return someServer + '/some/image.gif';
>   }
> </script>
> <a href="javascript:someFunction()">
> 
> So this leads to quite some effort in development (or
> organisation, if you try to come around this by enforcing
> appropriate policies for your web developers) and a
> performance penalty. And I bet: you will never be sure
> if there isn't a hole anywhere.
> 
> > -----Original Message-----
> > From: Christian Mallwitz [mailto:[EMAIL PROTECTED]]
> > Sent: Friday, November 17, 2000 13:34
> > To: '[EMAIL PROTECTED]'
> > Subject: JSP and automatic session id URL rewriting
> > Is it possible to
> > - force all JSP generated URLs to include a session id
> > without having to wrap them in encodeURL()
> > - disable generation of session cookies
> 
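
An added example, not part of the thread: a Python sketch of the output check Ralph describes. It shows that a leading-slash test misclassifies a link once `<base href>` points elsewhere, and that a `javascript:` link cannot be classified from the markup at all. Host names, the session id and all function names are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Constructed sample page, modelled on the two cases in the message.
SAMPLE = """<html><head><base href="http://other.example/"></head><body>
<a href="/some/image.gif">1</a>
<a href="javascript:someFunction()">2</a>
<a href="http://shop.example/cart.jsp">3</a>
</body></html>"""

class LinkClassifier(HTMLParser):
    """Record (href, naive verdict, verdict after URL resolution) per <a>."""

    def __init__(self, page_url):
        super().__init__()
        self.base = page_url                      # replaced when <base href> is seen
        self.own_host = urlsplit(page_url).hostname
        self.links = []

    def handle_starttag(self, tag, attrs):
        href = dict(attrs).get("href")
        if href is None:
            return
        if tag == "base":
            self.base = urljoin(self.base, href)
        elif tag == "a":
            # Naive filter: a leading "/" looks like a link to our own site.
            naive = "internal" if href.startswith("/") else "external"
            target = urlsplit(urljoin(self.base, href))
            if target.scheme not in ("http", "https"):
                verdict = "unknown"               # e.g. javascript: built at run time
            elif target.hostname == self.own_host:
                verdict = "internal"
            else:
                verdict = "external"
            self.links.append((href, naive, verdict))

def classify(html, page_url):
    parser = LinkClassifier(page_url)
    parser.feed(html)
    return parser.links

def add_session_id(href, verdict, session_id):
    """Append ;jsessionid only when the target is provably our own host."""
    if verdict != "internal":
        return href
    path, sep, query = href.partition("?")
    return f"{path};jsessionid={session_id}{sep}{query}"

if __name__ == "__main__":
    for href, naive, verdict in classify(SAMPLE, "http://shop.example/index.jsp"):
        print(href, naive, verdict, add_session_id(href, verdict, "CONSTRUCTED123"))
```

Treating "unknown" the same as "external" keeps the session id out of any link whose target cannot be resolved from the markup.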
